Scenario 1: Basic authentication and identity assertion

This example presents a pure Java client, C, that accesses a secure enterprise bean on server S1 as user "bob". The enterprise bean code on S1 accesses another enterprise bean on server S2. This configuration uses identity assertion to propagate the identity of "bob" to the downstream server, S2. S2 trusts that "bob" has already been authenticated by S1 because it trusts S1. To establish this trust, the identity of S1 flows to S2 together with the asserted identity, and S2 validates the identity of S1 by checking the trustedPrincipalList to verify that it is a valid server principal. S2 also authenticates S1. The following steps take you through the configuration of C, S1, and S2.
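The checks S2 applies before it accepts an asserted identity, as described above, written as a conceptual model. This is an added example, not WebSphere code or configuration: the names IncomingRequest, AssertionRejected, accept_asserted_identity and decide, the server name "S3", and the exact-match comparison against the list are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IncomingRequest:
    """What S2 sees on an identity-assertion request (constructed model)."""
    authenticated_server: Optional[str]  # identity the sender proved to S2, or None
    asserted_identity: Optional[str]     # caller identity the sender claims, e.g. "bob"


class AssertionRejected(Exception):
    """Raised when S2 must not act on the asserted identity."""


def accept_asserted_identity(req, trusted_principal_list):
    """Return the identity S2 runs the request as, or raise AssertionRejected."""
    # 1. S2 authenticates the sending server; an unauthenticated peer asserts nothing.
    if not req.authenticated_server:
        raise AssertionRejected("sending server did not authenticate")
    # 2. The authenticated server must be listed in trustedPrincipalList.
    #    Exact string match is an assumption of this model.
    if req.authenticated_server not in trusted_principal_list:
        raise AssertionRejected(
            f"{req.authenticated_server} is not in trustedPrincipalList")
    # 3. Only now is the asserted identity accepted without re-authenticating it.
    if not req.asserted_identity:
        raise AssertionRejected("no identity was asserted")
    return req.asserted_identity


def decide(req, trusted_principal_list):
    """Non-raising wrapper: (accepted, identity or rejection reason)."""
    try:
        return True, accept_asserted_identity(req, trusted_principal_list)
    except AssertionRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    trusted = frozenset({"S1"})  # constructed trustedPrincipalList for S2
    samples = [                  # constructed requests
        IncomingRequest("S1", "bob"),  # the scenario on this page
        IncomingRequest("S3", "bob"),  # authenticated, but not a trusted server
        IncomingRequest(None, "bob"),  # sender never authenticated to S2
    ]
    for sample in samples:
        print(sample, "->", decide(sample, trusted))
```

In this model, any principal in the list can assert any user identity to S2, so the list is the boundary of what S2 trusts.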

Configuring client, C

Point the client to the sas.client.props file using the com.ibm.CORBA.ConfigURL=file:/C:/was/properties/sas.client.props property.

All further configuration involves setting properties within this file.

Enable SSL.

In this case, SSL is supported but not required:

com.ibm.CSI.performTransportAssocSSLTLSSupported=true
com.ibm.CSI.performTransportAssocSSLTLSRequired=false

Enable client authentication at the message layer.

In this case, client authentication is supported but not required:

com.ibm.CSI.performClientAuthenticationRequired=false
com.ibm.CSI.performClientAuthenticationSupported=true

Use all of the remaining defaults in the sas.client.props file.

Configuring server, S1

In the administrative console, server S1 is configured for incoming requests to support message layer client authentication and incoming connections to support SSL without client certificate authentication. Server S1 is configured for outgoing requests to support identity assertion.

Configuring server, S2

In the administrative console, server S2 is configured for incoming requests to support identity assertion and to accept SSL connections. Complete the following steps to configure incoming connections. Configuration for outgoing requests and connections is not relevant for this scenario.